Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Monday, January 13, 2014

On withdrawing your [RSA Conference] talk in protest

By now the news has settled a bit in people's brains, that RSA (the company) was allegedly paid by the NSA some $10M to weaken encryption. Reuters broke the story with this quote:

"Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September."

Enough about the alleged wrongdoings of an encryption company and our own National Security Agency. Whether they did it, or they didn't, needs to be vetted in public, and RSA not denying the allegations is making this issue even more interesting. But let's talk about some of the fallout in the security community.

What has become interesting is the slow trickle of #InfoSec echo chamber big-shots that have been 'cancelling their talk' at RSA. Now, I'm not criticizing anyone's moral imperative ... but if you're cancelling your talk/training/etc. long after many of the attendees have purchased their tickets and scheduled their attendance - who are you really hurting? This is a sticking point with me. If you're going to take a stand against RSA's alleged malfeasance, then you should do it in a way that creates the least amount of collateral damage, and cancelling your talk or training is, in my personal opinion, a poor choice.

So, here are a few things you could do instead of cancelling your appearance and screwing over attendees:

Make a T-shirt that says "RSA has violated our trust" and wear it during your talk

Take 2 minutes at the start of your talk, and discuss the issue you're taking with RSA's alleged behavior

Blog about the issue and publicize it

Change your talk, without telling the organizers, to be about the damage that their alleged wrongdoing has caused

Speak at the conference, but refuse to give RSA any positive press

Speak at Security BSides SF and draw attention to the issue

Make a sign and stand outside the RSA Conference venue in protest

Refuse to buy/use/endorse RSA products/services

Urge others to refuse to buy/use/endorse RSA products/services

Work with the industry to identify and flag uses of the weakened crypto component in software packages - as a vulnerability finding

...there are, of course, many more ways to protest. You don't need to hurt the attendees in the process, and I think that's exactly what cancelling your talk and refusing to speak does in the end.

My $0.1999 ... if you disagree or believe I'm wrong - use the comments section or catch me on Twitter.

Disagree. The way you hurt the conference is to devalue it. RSA has devalued the industry by allowing it to be bought and sold. They should be fiscally punished, and if this means that, because talks are cancelled, attendance declines this year or next, then the point has been made.

A better approach than the ones you offered is an extended BSides - covering the entirety of the conference, not at the conference - but in close proximity. This retains value for the attendees and content, but removes that from RSA. This also leaves room for a "replacement" conference to unfold and not make it awkward for presenters to "wear a shirt" or "make a statement". It seems as if your suggestions are to keep people there, so they can visit the sponsoring booths... Seems like the MO of an event sponsor.

Dear "unknown": My current employer sponsors the conference, but I am not writing as an employee of that organization, rather on my own. I believe your alternatives are fine, and I'm good with them - but not speaking and pulling out only hurts the people who have already paid and will be attending. Now, if those "big draw" people were to decline for NEXT YEAR and state this as their reason - then I'm totally on board with you. I think it's too convenient for you to dismiss my point of view like you do in the last few sentences - but hey, you're allowed to think what you'd like, and I don't mind dissent.

I agree. Cancel your talks for NEXT year's con, not this year's. People have already paid for their tickets, and some people go purely to watch a certain person's talk. Boycott them well in advance and inform your fans you're going to be doing so.

Good article. I have heard a lot of talk about how RSA is no longer the primary driving force behind the RSA Conference. If this is indeed the case, then perhaps the folks that run the RSA Conference should rebrand and spend the next year advertising the new branding. This rebranding would allow the conference to continue without RSA benefiting from the conference brand. If the rebranding concept fails to hold merit, I like the idea of a competing conference running at the same time as RSA at a venue very close to the RSA venue. The attendance statistics could speak volumes. Maybe a ShmooCon West?

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up to misuse and attack better.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.